Security::Finding uses context unaware UUID

What does this MR do and why?

Right now, we ingest Security::Findings using a context-aware UUID. This is problematic because all of the MR approval policies do comparisons using UUIDs, which will never match if we make the UUID context-aware!

This MR changes how we handle UUIDs between Security::Findings and Vulnerability::Findings - always context-unaware for a Security::Finding and context-aware for Vulnerability::Finding.

Walkthrough

Ingestion starts with report parsing and the creation of Ci::Reports::Security::Finding records. These are in-memory objects not backed by an ActiveRecord model or a database row. These Ci::Reports::Security::Finding records track three UUIDs through ingestion:

  1. uuid - a tracked-context-aware UUID.
  2. context_unaware_uuid - a tracked-context-unaware UUID.
  3. overridden_uuid - nil at this stage.

Next, the OverrideUuidsService runs to determine if any of these Ci::Reports::Security::Finding records match a previously-ingested Vulnerabilities::Finding. If we find a match, we update the Ci::Reports::Security::Finding UUIDs to:

  1. uuid - the tracked-context-aware UUID of the matching Vulnerabilities::Finding
  2. context_unaware_uuid - the tracked-context-unaware UUID of the matching Vulnerabilities::Finding.
  3. overridden_uuid - the context_unaware_uuid of the current Ci::Reports::Security::Finding record. (This is updated first; I've just maintained the order of the list for easier parsing.)

We then ingest Security::Finding records where we set the uuid of the Security::Finding to be the context_unaware_uuid - the crux of this whole MR! The overridden_uuid on the Security::Finding is set if it has been overridden, but that behaviour is not changed in this MR.

If we are on a tracked branch, we then ingest Vulnerabilities::Finding records. We create a collection of FindingMaps and correlate them with the Ci::Reports::Security::Finding using the context_unaware_uuid. Each FindingMap stores the context_unaware_uuid in the new_uuid field so that we can reverse-map it in the earlier OverrideUuidsService pass. This column name should be updated in the future to have a much better name.

The rest of this change is largely wiring and test updates to reflect these changes.

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Ryan Wells
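The walkthrough above describes the UUID flow in prose; the following is an added, stand-alone Ruby model of that flow and is not code from this MR or from GitLab. Everything beyond the names taken from the description (the three UUID fields, OverrideUuidsService, Security::Finding, FindingMap#new_uuid) is an assumption for illustration: the UUID is derived with a name-based UUIDv5 over SHA-1, the context-aware UUID hashes a tracking signature while the context-unaware UUID hashes the raw location, and the override step matches an existing Vulnerabilities::Finding by tracking signature. The sample records are constructed for the example.

```ruby
require 'digest'

# Added example (not GitLab code): a small model of the UUID flow in the walkthrough.
# The UUID derivation, the matching key used by the override step and every name not
# in the MR text are assumptions for illustration only.

# Name-based (version 5) UUID over SHA-1 in RFC 4122 layout, with an example namespace.
EXAMPLE_NAMESPACE = ['6ba7b8109dad11d180b400c04fd430c8'].pack('H*')

def uuid_v5(name)
  bytes = Digest::SHA1.digest(EXAMPLE_NAMESPACE + name).bytes[0, 16]
  bytes[6] = (bytes[6] & 0x0f) | 0x50 # version 5
  bytes[8] = (bytes[8] & 0x3f) | 0x80 # RFC 4122 variant
  hex = bytes.pack('C*').unpack1('H*')
  [hex[0, 8], hex[8, 4], hex[12, 4], hex[16, 4], hex[20, 12]].join('-')
end

# In-memory report finding (stands in for Ci::Reports::Security::Finding).
ReportFinding = Struct.new(:identifier, :location, :tracking_signature,
                           :uuid, :context_unaware_uuid, :overridden_uuid,
                           keyword_init: true)
# Previously ingested, DB-backed record (stands in for Vulnerabilities::Finding).
VulnerabilityFinding = Struct.new(:tracking_signature, :uuid, :context_unaware_uuid,
                                  keyword_init: true)
SecurityFinding = Struct.new(:uuid, :overridden_uuid, keyword_init: true)
FindingMap = Struct.new(:report_finding, :new_uuid, keyword_init: true)

# Assumption: the context-aware UUID hashes the tracking signature (stable when the
# code moves), the context-unaware UUID hashes the raw location (changes when it moves).
def build_report_finding(identifier:, location:, tracking_signature:)
  ReportFinding.new(
    identifier: identifier, location: location, tracking_signature: tracking_signature,
    uuid: uuid_v5("#{identifier}|sig:#{tracking_signature}"),
    context_unaware_uuid: uuid_v5("#{identifier}|loc:#{location}"),
    overridden_uuid: nil
  )
end

# Stand-in for OverrideUuidsService. Assumption: a match is an existing
# Vulnerabilities::Finding carrying the same tracking signature.
def override_uuids!(report_findings, existing)
  by_signature = existing.to_h { |vf| [vf.tracking_signature, vf] }
  report_findings.each do |rf|
    match = by_signature[rf.tracking_signature]
    next unless match

    rf.overridden_uuid = rf.context_unaware_uuid # remember what the report computed
    rf.uuid = match.uuid                         # context-aware UUID of the matched record
    rf.context_unaware_uuid = match.context_unaware_uuid
  end
  report_findings
end

# The crux of the MR: Security::Finding#uuid is always the context-unaware UUID.
def ingest_security_findings(report_findings)
  report_findings.map do |rf|
    SecurityFinding.new(uuid: rf.context_unaware_uuid, overridden_uuid: rf.overridden_uuid)
  end
end

# On a tracked branch, FindingMaps are correlated by context_unaware_uuid, stored as new_uuid.
def build_finding_maps(report_findings)
  report_findings.map { |rf| FindingMap.new(report_finding: rf, new_uuid: rf.context_unaware_uuid) }
end

# Constructed scenario: one existing vulnerability whose code has since moved from
# line 10 to line 14 (same tracking signature), plus a brand-new finding with no match.
def run_pipeline
  existing = [
    VulnerabilityFinding.new(
      tracking_signature: 'scope:login',
      uuid: uuid_v5('CWE-79|sig:scope:login'),
      context_unaware_uuid: uuid_v5('CWE-79|loc:app.rb:10')
    )
  ]
  report = [
    build_report_finding(identifier: 'CWE-79', location: 'app.rb:14', tracking_signature: 'scope:login'),
    build_report_finding(identifier: 'CWE-89', location: 'db.rb:3', tracking_signature: 'scope:query')
  ]
  original_moved_uuid = report[0].context_unaware_uuid

  override_uuids!(report, existing)
  {
    existing: existing[0],
    original_moved_uuid: original_moved_uuid,
    security_findings: ingest_security_findings(report),
    finding_maps: build_finding_maps(report)
  }
end
```

Running `run_pipeline` shows the two outcomes the walkthrough describes: the moved finding is ingested as a Security::Finding whose uuid is the matched record's context-unaware UUID (not its context-aware one) with overridden_uuid holding the UUID the report computed, while the unmatched finding keeps its own context-unaware UUID and a nil overridden_uuid; in both cases FindingMap#new_uuid equals the Security::Finding uuid.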
